
Re: from / to /usr/: a summary

* Philipp Kern <trash@philkern.de> [111227 04:04]:
> > As you pointed out so nicely: modules_disabled is only a replacement if
> > you have a custom initramfs and do not allow that to be modified
> > automatically. So from the point of the original discussion,
> > modules_disabled is no solution.
> You just stuff a file into /etc/initramfs-tools/local-bottom and regenerate the
> initramfs.  I think that's much less effort than recompiling the kernel with
> the right bits built-in.

Building a custom kernel is almost no effort at all. Building a minimal
one is a bit more effort.

But that part is exactly the same as needed for creating a
local-bottom: You have to know which modules you need to load before
disabling modules.

And what use is a /etc/initramfs-tools handling if you cannot create the
initramfs on the system or you would defeat the security?

You could argue as well that people wanting a kernel without initramfs
have no problem with /usr to be mounted early, they just have to write
some parts into the correct part of /etc/rcS to have /usr mounted before
anything else is done.

> I'll grant the "boot the kernel from the outside" bit, but then I could just
> kexec into my new kernel, if the admin wasn't careful enough.

Kexec will of course not work. Otherwise something was done
horribly wrong (like forgetting to patch out {k,}mem).
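The local-bottom approach argued over above, written out as an added example that is not from either poster: the hook loads the modules the booted system will still need, checks they are really present, and only then sets kernel.modules_disabled=1. REQUIRED_MODULES is a constructed sample list, and the MODULES_FILE/SYSFS_DIR/SYSCTL_FILE overrides are a hypothetical convenience for exercising the logic outside an initramfs, not an initramfs-tools feature.

```shell
#!/bin/sh
# Added example, not from the thread: an initramfs-tools local-bottom hook that
# loads the modules the booted system will still need, verifies they are really
# present, and only then sets kernel.modules_disabled=1 (irreversible until reboot).
# REQUIRED_MODULES is a constructed sample; the *_FILE/_DIR variables exist so the
# logic can be exercised outside an initramfs (hypothetical, not an initramfs-tools API).

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

REQUIRED_MODULES="${REQUIRED_MODULES:-ext4 dm_crypt}"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
SYSFS_DIR="${SYSFS_DIR:-/sys/module}"
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/kernel/modules_disabled}"

# 0 if every required module is loaded or built in, 1 on the first one missing.
modules_present() {
    for m in $REQUIRED_MODULES; do
        n=$(echo "$m" | tr - _)             # /proc/modules and sysfs use underscores
        grep -q "^$n " "$MODULES_FILE" || [ -d "$SYSFS_DIR/$n" ] || return 1
    done
    return 0
}

# Modules can still be loaded at this point, so plain modprobe does the work.
load_required() {
    for m in $REQUIRED_MODULES; do
        modprobe "$m" || return 1
    done
}

# Refuse to flip the switch if something needed is missing: once modules_disabled
# is 1 there is no way to load it later, so the mistake would be a broken boot.
lock_modules() {
    if ! modules_present; then
        echo "local-bottom: required module missing, leaving module loading enabled" >&2
        return 1
    fi
    echo 1 > "$SYSCTL_FILE"
}

# Act only inside the initramfs (initramfs-tools provides /scripts/functions there);
# elsewhere this file just defines the functions above.
if [ -r /scripts/functions ]; then
    load_required && lock_modules
fi
```

The point the thread makes still holds: whoever can regenerate the initramfs on the running system can drop this hook again, so the switch only buys something when the initramfs itself is protected.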
